_____   ____________     __ __ _________
   /  _/ | / / ____/ __ \   / // /<  / ____/
   / //  |/ / /_  / / / /  / // /_/ /___ \  
 _/ // /|  / __/ / /_/ /  /__  __/ /___/ /  
/___/_/ |_/_/    \____/     /_/ /_/_____/  
    --- Web Application Security ---       

Description

This course will cover the ins and outs of web application security from the perspectives of the developer, administrator, and attacker. We will cover attacks from the all-too-common Cross-Site Scripting (XSS) attack through Cross-Site Request Forgery (CSRF) and SQL Injection (SQLi), all the way to more advanced topics such as hash length extension attacks, cookie tossing, deserialization, and specialized vulnerabilities against common web frameworks.

The goals of this course center on familiarizing students with how to recognize a possible vulnerability, write a proof-of-concept, and provide helpful remediation so that a developer can properly mitigate the issue. The emphasis will be on hands-on learning, and students will be expected to think creatively as they face common defenses and work with unfamiliar frameworks and languages.

Grading

Grade breakdown:

  • midterm: 40%
  • homework: 60%

Late penalty:

  • 10% per day (each 24 hours from the time due)
  • capped at a 50% deduction
  • 4 late days available to use

Resources

  • Bitsync key: BVJ3RLXHMCWW5AFAVNMB4RRVOLWW72UD7
  • Suggested reading: Web Application Hacker's Handbook

Weekly Schedule

Week 1 - Foundations (March 30 to April 3)

Tuesday

  • introduction
  • class overview
  • threat modeling

Wednesday

  • tools setup
  • capturing traffic

Thursday

  • how the internet works
  • client to server communications
  • browser basics

Homework

  • required
    • none
  • recommended
    • read WAHH chapter 12
    • read WAHH chapter 3

Week 2 - XSS (April 6 to 10)

Tuesday

  • cross-site scripting (XSS)
    • how it works
    • why it's so common
    • why it's bad
    • how to find it
    • how to mitigate
  • reflective XSS
  • stored XSS
  • DOM XSS
  • XSS demos
  • practice: http://xss-quiz.int21h.jp/

Wednesday

  • character encoding
  • unicode security
  • punycode domains

Thursday

  • filter bypass techniques
    • no spaces
    • no script tag
    • XSS via images
    • encoding galore
    • other weirdness
  • hands-on exercises
    • filter bypassing

Homework

  • required
    • XSS challenges
    • pentest report
    • due next Thursday

Week 3 - XSS 2 (April 13 to 17)

Tuesday

  • advanced payloads
    • exfiltrating cookies
    • inducing user action
    • fake login forms

Wednesday

  • regular expressions

Thursday

  • guest lecture
  • puzzle

Homework

Week 4 - CSRF & Clickjacking (April 20 to 24)

Tuesday

  • go over last week's homework
  • CSRF
    • how it works
    • why it's bad
    • how to find it
    • how to mitigate

Wednesday

  • puzzle solution
  • how Tor works

Thursday

  • CSRF demo
  • Clickjacking
    • how it works
    • why it's bad
    • how to mitigate
    • special tactics
  • Clickjacking demo

Homework

  • required
    • CSRF challenges
    • clickjacking challenges
    • pentest report
    • due next Thursday
  • recommended
    • read WAHH chapter 9

Week 5 - SQLi (April 27 to May 2)

Tuesday

  • SQL injection
    • how it works
    • why it's bad
    • how to find it
    • how to mitigate
    • how to pull data
    • special tactics
  • SQLi demos
  • SQL practice

Wednesday

Thursday

  • SQL injection practice
    • OWASP Broken Web Application

Homework

  • none

Week 6 - SQLi 2 (May 4 to 8)

Tuesday

  • Advanced SQL injection techniques

Wednesday

  • class canceled

Thursday

  • keyloggers

Homework

  • required
    • SQL injection challenges
    • pentest report
    • due next Tuesday
  • recommended
    • read WAHH chapter 6
    • read WAHH chapter 7

Week 7 - Authentication (May 11 to 15)

Tuesday

  • session fixation
  • session invalidation issues
  • timing attacks
  • user enumeration
  • insufficient entropy

Wednesday

  • metasploit

Thursday

  • authentication 2.0
    • two-factor authentication schemes
    • single sign-on

Homework

  • required
    • advanced SQL challenges
    • pentest report
    • due next Thursday

Week 8 - Crypto (May 18 to 22)

Tuesday

  • cryptography
    • public/private key
    • forward secrecy
    • hashes
    • stream vs block cipher
    • algorithm modes: ECB, CBC, others

Wednesday

  • bitcoin

Thursday

  • canceled

Homework

  • none

Week 9 - Misc. Attacks (May 25 to 29)

Tuesday

  • canceled

Wednesday

  • business logic attacks

Thursday

  • hash length extension attacks
  • local file inclusion attacks
    • demo

Homework

  • required
    • super secure bank pentest
    • due next Thursday
    • pentest report
  • recommended
    • read WAHH Chapter 10 section "Manipulating File Paths"
    • read WAHH Chapter 11 section "Example 12: Racing Against the Login"

Week 10 - Advanced Attacks (June 1 to 5)

Tuesday

  • mass assignment attacks
  • deserialization attacks
  • race conditions

Wednesday

  • testing techniques
  • review

Thursday

  • buffer overflows
  • online challenges

Homework

  • required
    • final
    • starts Friday June 5th 5:30pm (17:30) PST
    • due Tuesday June 9th at 11:45am (11:45) PST